In the security breach du jour, the State of Ohio announced that private information (names, Social Security numbers, and maybe more) on 64,000 state employees was compromised.
The data had been written to a portable storage device (thumb drive? USB hard drive? the story does not say), which was stolen from a state intern’s car.
The practice of taking state information to employees’ homes is apparently the official policy. A news article reads, “Under protocol in place since 2002, a first backup storage device is kept at a temporary work site for a state office along with the computer system that holds all the employee information, and a second backup device is given to employees on a rotating basis to take home for safekeeping, officials said.”
They go on to say that the security procedure failed.
I take issue with that. The security procedure was carried out, but it was flawed from the beginning. The POLICY failed to take into account the risks associated with storage of official (and private) information away from work premises, in employee homes where the employer has no control or awareness of safekeeping practices.
Link to news article:
http://news.yahoo.com/s/ap/20070617/ap_on_hi_te/data_theft_20